Deep Instinct researchers discovered a new campaign using the remote access Trojans (RATs) StrRAT and Ratty, whose operators use MSI/JAR and CAB/JAR polyglot files to avoid detection.
Polyglot files combine two or more formats in such a way that they can be accurately interpreted and run by several different applications.
Attackers are still making steady progress, even considering how old and well-studied both RATs are.
For several years, malware operators have been using polyglot files to hide malicious code and circumvent security measures. This technique has also been used recently by the operators of the StrelaStealer malware targeting Outlook and Thunderbird accounts.
Unsurprisingly, in the latest campaign Deep Instinct observed the JAR and MSI formats combined into one file, a combination first recorded back in 2018.
JAR files are archives identified by a record at the end of the file, whereas MSI files are identified by a header at the beginning of the file, so attackers can easily combine the two formats into one file.
The dual format allows the file to be executed as an MSI by Windows, as well as a JAR file by the Java runtime environment.
JAR files are not executable files, so antivirus tools do not check them as thoroughly. This lets attackers hide the malicious code in the JAR part while the AV scans the MSI part of the file, which passes verification.
In the new Deep Instinct campaign, CAB/JAR combinations were noticed instead of MSI, also associated with the mentioned RAT families. CAB files are also a good option for polyglot combinations with JAR, since they too carry the header at the start of the file that identifies the file type.
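A defender-side check for the layout described above, written here as an added example (it is not Deep Instinct's code): it flags a file whose leading bytes identify an MSI (OLE compound file) or CAB container while its tail carries a consistent ZIP end-of-central-directory record, which is what the Java runtime uses to open a JAR. The sample byte strings are constructed for the test and are not real malware.

```python
import struct
import sys

# Well-known magic values: OLE compound file (MSI), Microsoft Cabinet, ZIP records.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
CAB_MAGIC = b"MSCF"
ZIP_LOCAL = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
EOCD_LEN = 22          # fixed part of the end-of-central-directory (EOCD) record
MAX_COMMENT = 0xFFFF   # an archive comment of up to 65535 bytes may follow the EOCD


def leading_format(data: bytes) -> str:
    """Container type that a Windows installer would recognise from the file header."""
    if data.startswith(OLE_MAGIC):
        return "MSI"
    if data.startswith(CAB_MAGIC):
        return "CAB"
    return ""


def has_zip_trailer(data: bytes) -> bool:
    """True if a consistent EOCD record closes the file, as a ZIP/JAR reader expects."""
    tail = data[-(EOCD_LEN + MAX_COMMENT):]
    idx = tail.rfind(ZIP_EOCD)
    if idx < 0 or idx + EOCD_LEN > len(tail):
        return False
    # The comment-length field must account for every byte after the record;
    # this rejects a stray "PK\x05\x06" that merely appears inside a normal MSI.
    comment_len = struct.unpack_from("<H", tail, idx + 20)[0]
    return idx + EOCD_LEN + comment_len == len(tail)


def classify(data: bytes) -> str:
    head = leading_format(data)
    zip_tail = has_zip_trailer(data)
    if head and zip_tail:
        return f"{head}/JAR polyglot"   # both readers accept the same bytes
    if head:
        return head
    if zip_tail or data.startswith(ZIP_LOCAL):
        return "ZIP/JAR"
    return "unknown"


def build_eocd(comment: bytes = b"") -> bytes:
    """Constructed EOCD record with all counts zero, used only for the inline samples."""
    return ZIP_EOCD + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, 0, len(comment)) + comment


# Constructed samples (not real files): a container header, filler, then a ZIP trailer.
SAMPLE_MSI_JAR = OLE_MAGIC + b"\x00" * 64 + build_eocd(b"abc")
SAMPLE_CAB_JAR = CAB_MAGIC + b"\x00" * 64 + build_eocd()
SAMPLE_PLAIN_MSI = OLE_MAGIC + b"\x00" * 64
SAMPLE_PLAIN_JAR = ZIP_LOCAL + b"\x00" * 30 + build_eocd()

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

Run it as `python check.py file.msi` to classify real samples; a result ending in "polyglot" deserves a second look, since a legitimate installer has no reason to end in a ZIP directory.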
The polyglots used in the campaign are distributed via Sendgrid and URL-shortening services (Cutt.ly and Rebrand.ly), and the extracted StrRAT and Ratty payloads are hosted on Discord.
As for CAB/JAR detection, the rate ranges from 10% to 50% (6 positive results out of 59 antivirus engines on VirusTotal; the MSI variant has 30).
Deep Instinct reports that many of the detected polyglots for both StrRAT and Ratty use the same C2 and are hosted by the same Bulgarian hosting company.
Thus, it is quite possible that both strains are used in the same campaign conducted by the same operator.